cbcvebase.

Inc2734 Mw Wp Form vulnerabilities

4 known vulnerabilities affecting inc2734/mw_wp_form.

Total CVEs
4
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH2

Vulnerabilities

Page 1 of 1
CVE-2023-6316P2CRITICALCVSS 9.8≤ 5.0.12024-01-11
CVE-2023-6316 [CRITICAL] CWE-434 CVE-2023-6316: The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the '_single_file_upload' function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
nvd
CVE-2023-6559P2CRITICALCVSS 9.8≤ 5.0.32023-12-16
CVE-2023-6559 [CRITICAL] CWE-22 CVE-2023-6559: The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make s
nvd
CVE-2026-4347P2HIGHCVSS 8.1≤ 5.1.02026-04-02
CVE-2026-4347 [HIGH] CWE-22 CVE-2026-4347: The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easi
nvd
CVE-2026-5436P3HIGHCVSS 8.1≤ 5.1.12026-04-08
CVE-2026-5436 [HIGH] CWE-22 CVE-2026-5436: The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter (upload field key) passed to the generate_user_file_dirpath() function, which uses WordPress's path_join() — a function that returns absolute paths unchanged, discarding the
nvd
Inc2734 Mw Wp Form vulnerabilities | cvebase